The Blame Game


The high profile of corporate governance might lead the casual observer to assume that compliance with IT-related legislation is somehow a new phenomenon. Certainly in this post-Enron era, there is a tranche of new legislation to focus corporate attention upon and the role of the compliance officer has never been more prominent.

But while Sarbanes-Oxley and Basel II might be the laws du jour, one of the most important pieces of IT-related law has been around for close on two decades, and it remains one of the most misunderstood and most-breached pieces of legislation on the statute books. In fact the data archiving requirements of the new legislation place increasing importance on that most established of laws: the Data Protection Act (DPA).

The requirements of the DPA are universal. All UK-based businesses are compelled to adhere to the Act, although there is disturbing evidence of a lack of awareness of what this means in practice, particularly among small and medium enterprises. Failure to comply with the Act can lead to financial penalties as well as to long-term reputation and brand damage: if a company cannot offer adequate protection for personal data in a digital economy then its likelihood of commercial success is significantly reduced. Some companies assume that the DPA only covers data held on computers. While this was the case with the original 1984 legislation, the DPA 1998, which came into force in 2000, covers all personal data relating to living, identifiable individuals held not only on computer systems but also in manual records, including paper files, card indices and microfiche systems.

In other words, it covers pretty much every format on which data can be stored, so there is no get-out clause in simply not holding computer records.

Having been around for so long it might be expected that the DPA would be a stable and well-understood piece of legislation, but in fact recent months have indicated that its longevity offers no such guarantees. Quite the opposite in some cases. It is a cliché to say that the law is an ass, but in the case of the DPA it seems all too often that the law is for asses to hide behind.

Losing your faith

For example, it was recently reported that thousands of terminally ill patients are being denied access to the Last Rites, with the DPA being cited as the reason why NHS Trusts refuse to disclose the religious backgrounds of their patients.

According to the Hospital Chaplaincies Council, chaplains were previously automatically provided with lists of patients’ religious faiths, but now many hospitals have stopped this practice fearing they are in breach of the DPA. The trusts claim that such information is “too sensitive” to share with chaplains.

Patients therefore need to make it clear when they enter hospital that they wish to see a chaplain in the event of their condition declining. Clearly this is not helpful in the case of, for example, a car accident where the patient may be unconscious from the moment he or she enters the hospital.

Higher profile examples can be found where corporations have chosen to cite the DPA inappropriately in an attempt to justify their actions. Last winter a pair of old age pensioners were found dead after British Gas cut off their supply. The company claimed the DPA prohibited the firm from passing information on the desperate situation of the couple to social services, a claim that was later withdrawn.

Most notoriously of all, Soham child killer Ian Huntley escaped detection despite previous allegations of sex offences that were deleted by police who claimed they thought they were obliged to do so by the DPA. This claim was later withdrawn when the police admitted that their data management procedures were at fault, but it is yet another example of the Act being clung to like some kind of organisational comfort blanket to fend off blame.
</grreplace>
<gr_replace lines="33" cat="reformat" orig="Blame culture">
Blame culture

Nonetheless the rise of the ‘blame culture’ in the UK has led to increasing calls for a so-called common sense guide to the Act.

The Information Commissioner – responsible for the implementation and enforcement of the Act – has spoken out against this sort of hiding behind the terms of the legislation, pointing out in the cases of British Gas and the police that their interpretations of their requirements are inherently flawed.

Assistant information commissioner Phil Jones is pragmatic in his attitude towards this. “My personal view is that the Act is not as complicated as some people make it out to be,” he argues. “People blame the Act and its requirements when it is not always appropriate. That said, life is complicated and complex.

“There is a risk of people wanting to reduce everything to a set of fast rules when really they often need to be making a fairly subtle set of judgements. When we get old, for example, at what stage do we say it’s all right for people to run roughshod over us and start passing around data about us. If you go into hospital and you’re told you need to have an operation, you can say no and they can’t do it. Data protection should really enforce what sensible people would do anyway. If someone rings up and says that they are the spouse or partner of a customer, then there’s a good reason to be wary, DPA notwithstanding. The real problem is that people sometimes use the term data protection inappropriately.

“There are times when it’s quite appropriate that they shouldn’t give out information, but rather than parrot the DPA as an excuse, they should be upfront about it. It is an irritation because it does demonise the Act.”

Blame cultureNonetheless the rise of the ‘blame culture’ in the UK has led to increasing calls for a so-called common sense guide to the Act.

“We do use the simplest possible language to explain the law,” insists Jones. “But the question of common sense can get confused with this. What we don’t want to have is a law that says any uncorroborated allegation about anyone by anyone else can be kept. This is where common sense comes into play. Some of these are going to be decisions that you can’t write a book about. You really can’t hope to do a one size fits all piece of legislation.”

Indeed there are plenty of companies and organisations that seem perfectly able to make the distinction. “We have always tried to take a common sense approach to data protection,” says Chris Kadwill, ICT manager for Luton Borough Council. “We’ve tried to find what a typical lay person’s view on the subject would be and tried to handle responses in a practical, common sense way. The key thing with freedom of information type issues is that you don’t want to keep anything for any longer than you need. You must not squirrel things away for posterity. The information that you keep on record shouldn’t be excessive. Some types of information need to be held for longer than others. For example, you will need to hold on to social care information for a long time, but that doesn’t negate getting rid of the housekeeping and superfluous information that may be surrounding it.”

The data challenge

“It’s a big challenge for any organisation. Everyone holds on to more information than they need to at first. We’re doing an information audit at the moment to try to find out what we do and don’t need to hold on to.”

But there will still be organisations that are nervous of the Act’s requirements. “The principles of the DPA are generally clear, however there is a widespread perception that data protection is complicated,” says Mark Stanhope, information security designer at BACS, the UK banks’ clearing house. “This could undermine public confidence and place disproportionate burdens on organisations which in turn could damage the underlying importance given to the principles.”

“Common sense guidelines should provide better clarity for the application of the Data Protection Act and we understand that the Information Commissioner is committed to providing a practical down-to-earth approach to promoting good data protection practice,” says Stanhope. “The DPA is one of the key drivers for our Information Security Policies, and thereby BACS’ security infrastructure, and it is recognised that failure to comply with the requirements of the Act could render members of staff personally liable to prosecution.”

But Stanhope identifies a new problem for organisations with the onset of a new piece of data-centric legislation that may conflict with the requirements of the DPA. How do organisations effectively prioritise which laws to adhere to when there is apparent conflict? “We will need to be fully aware of the pending Freedom of Information Act (FOI) due to be implemented in January 2005, which is likely to have major implications for data protection practitioners and the 1998 Act,” he says. The conflict between data protection and freedom of information is an area which is likely to task the public sector in particular.

“Government must not be a secretive machine, locked away from public view,” says Information Commissioner Richard Thomas. “Public bodies have had nearly four years to prepare for FOI and they must be ready to hit the ground running when FOI comes into force – ignorance or lack of preparation time are not excuses we will be able to accept.”

Information freedom

Again common sense will be called for to resolve potential conflicts in policy. “I’m encouraged by the commitment voiced and demonstrated among public bodies to Freedom of Information but fine words are not enough,” argues Thomas. “Training is underway, FOI champions have been appointed and a culture change has been promised but the real test will come in just five months time when the Act comes into full force.”

In the private sector, a major issue facing an increasing number of companies is that of data protection when corporate assets are transferred under outsourcing agreements, particularly in light of the current trend of offshoring to countries such as India whose data protection regimes are not perceived to be as robust as those of European countries. The DPA’s eighth principle restricts the transfer of personal data outside the European Economic Area unless an adequate level of protection is ensured, and the UK company remains the data controller, and so remains responsible for the data, even when the processing itself is carried out thousands of miles away.

Opponents of outsourcing to India have often cited the absence of a data protection and privacy law in India as a strong reason for stopping the movement of call centre and BPO work to the country. Labour members of the European Parliament, affiliated with the Amicus trade union in the UK, claim that offshore outsourcing is “an accident waiting to happen”.

There have been reports that organised gangs offered a year in wages to Indian call centre staff in return for access to UK credit card details, while US credit card giant Capital One pulled out of India after unauthorised credit levels were offered by call centres.

To address these concerns, the Indian government is currently amending the Information Technology Act of 2000, which at present covers only unauthorised access and data theft from computers and networks and has no specific provisions relating to privacy of data.

The new clauses are likely to enable the Act to conform to the so-called adequacy norms of the European Union’s (EU) Data Protection Directive, under which the EU can declare that a third country has a level of data protection that conforms to European standards and thus allow data on EU citizens to be transferred outside the union.

In the meantime, the phrase common sense is applicable yet again. “If you are a major UK company and you outsource to Mumbai, you remain responsible for all the data being used properly,” says Jones. “Most companies are concerned enough about their reputation to remain responsible for their data being used properly. They need to ensure the staff have been monitored, the appropriate security measures are in place and so on. Then they can move their operations offshore if they are satisfied their data is not at extra risk. Without being complacent, it is our impression that offshoring is not something that major companies do lightly.

High profile projects

“To the best of my knowledge, we have no evidence of misuse to date. Indeed, given the highly political profile of some of these projects, I think most companies would work all the harder to ensure that it’s done properly. Now it’s a different issue if you want to have sensitive data in a lawless society or somewhere where the computers might be seized at any moment, but most stable democracies have a vested interest in making sure data is protected.”

The overall message is that in an ever more regulated world, data protection needs to remain a priority for all organisations and companies. That in turn means someone taking responsibility for it. That could be the compliance officer in larger organisations or someone at board level in smaller firms. IT is an enabler here, but it is unlikely to be appropriate for IT managers to assume responsibility for strategy. Data protection is a wider corporate issue in which IT plays a crucial part, but only a part.

Data protection is also an issue that needs to be addressed across the entire organisation.

“Responsibility lies within information management,” says Luton’s Kadwill. “We have a corporate officer who is responsible for data protection for the whole organisation and he works with local officers across a network of staff. From a guidance point of view, it comes from the centre.”

Employees also have their part to play. “The company secretary is the data protection compliance officer for BACS,” says Stanhope. “The company has adopted and published a number of information security policies. One of these addresses specifically the requirements of the Data Protection Act. All computer users within the company from their desktop can access these policies. BACS employees are personally responsible for ensuring that they and their colleagues are aware of these policies and comply with the policies in their work.”

For his part, Jones sees it as being up to individual organisations as to where data protection responsibility lies. “It’s not for us to dictate,” he says. “Sometimes it will be the legal department, sometimes those responsible for regulatory compliance. The trick is less about where it is stored in IT systems and more about where the responsibility lies. It needs to be a problem that everyone takes a hand in, not just IT.”